Bug#561918: client certificate authentication broken
FYI: RFC 5746 provides the solution to the renegotiation security attack.

Cheers,
Chris.

This message was sent using IMP, the Internet Messaging Program.

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#561918: client certificate authentication broken
On Sun, Feb 28, 2010 at 03:45:06AM +0100, Christoph Anton Mitterer wrote:
> FYI: RFC 5746 provides the solution to the renegotiation security attack.

And it is planned for 3.12.6.

Mike
Bug#561918: client certificate authentication broken
> Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> variable to 1 ? (with nss 3.12.5-1, obviously).

Running iceweasel from a terminal using the following solved the issue for me:

NSS_SSL_ENABLE_RENEGOTIATION=1 iceweasel

--
Oliver
Bug#561918: client certificate authentication broken
On Wed, Dec 30, 2009 at 08:36:11AM +0100, Mike Hommey wrote:
> On Tue, Dec 29, 2009 at 11:45:48PM +0100, Alexander Kurtz wrote:
> > Hi,
> >
> > Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention
> > that the lenny version[1] of libnss3-1d works without problems with
> > squeeze (and probably sid too), so using this version until this bug is
> > fixed is easily possible.
>
> You can also add NSS_SSL_ENABLE_RENEGOTIATION=1 in /etc/iceweasel/iceweaselrc.

Are you sure?

I've been hit by that bug, and that didn't help solve it for 3.5.6-1.

I had to manually issue:

NSS_SSL_ENABLE_RENEGOTIATION=1 iceweasel

on the command line to get it to work.

Best regards,
Bug#561918: client certificate authentication broken
On Wed, Jan 06, 2010 at 01:29:13PM +0100, Olivier Berger wrote:
> On Wed, Dec 30, 2009 at 08:36:11AM +0100, Mike Hommey wrote:
> > On Tue, Dec 29, 2009 at 11:45:48PM +0100, Alexander Kurtz wrote:
> > > Hi,
> > >
> > > Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention
> > > that the lenny version[1] of libnss3-1d works without problems with
> > > squeeze (and probably sid too), so using this version until this bug is
> > > fixed is easily possible.
> >
> > You can also add NSS_SSL_ENABLE_RENEGOTIATION=1 in /etc/iceweasel/iceweaselrc.
>
> Are you sure?
>
> I've been hit by that bug, and that didn't help solve it for 3.5.6-1.
>
> I had to manually issue:
>
> NSS_SSL_ENABLE_RENEGOTIATION=1 iceweasel
>
> on the command line to get it to work.

Ah, sorry, you need to export the variable, so that'd be

export NSS_SSL_ENABLE_RENEGOTIATION=1

in /etc/iceweasel/iceweaselrc.

Cheers,
Mike
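An added illustration (not code from the bug thread, the NSS project or Debian's iceweasel package) of why a bare NSS_SSL_ENABLE_RENEGOTIATION=1 line in the rc file does not take effect while the exported form does. It assumes the iceweasel launcher is a shell script that sources its rc file and then starts the browser as a child process; the two rc files are constructed here in a temporary directory.

```shell
#!/bin/sh
# Added demonstration (not from the bug thread): a variable assigned in a
# sourced rc file stays local to the launcher shell unless it is exported,
# so only the "export" form reaches the child process (the real browser).
# Assumption: the launcher sources the rc file, then starts the browser as
# a child process; the rc files below are constructed for this demo.

# Write two constructed rc files into directory $1: a bare assignment
# (the setting that did not work) and an exported one (the fix).
write_rc_files() {
    dir="$1"
    printf 'NSS_SSL_ENABLE_RENEGOTIATION=1\n' > "$dir/rc_plain"
    printf 'export NSS_SSL_ENABLE_RENEGOTIATION=1\n' > "$dir/rc_export"
}

# Source rc file $1 the way a launcher script would, then start a child
# process and print what that child sees for NSS_SSL_ENABLE_RENEGOTIATION
# ("unset" when the variable was not inherited). The subshell keeps the
# sourced file from touching the caller's own environment.
child_sees_var() {
    rcfile="$1"
    (
        unset NSS_SSL_ENABLE_RENEGOTIATION   # start clean even if the caller exported it
        . "$rcfile"
        sh -c 'printf "%s" "${NSS_SSL_ENABLE_RENEGOTIATION:-unset}"'
    )
}

# Stand-alone run: show what a child process sees for each rc file.
main() {
    tmp=$(mktemp -d) || exit 1
    write_rc_files "$tmp"
    echo "bare assignment -> child sees: $(child_sees_var "$tmp/rc_plain")"
    echo "export          -> child sees: $(child_sees_var "$tmp/rc_export")"
    rm -rf "$tmp"
}

main
```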
Bug#561918: client certificate authentication broken
Hi,

Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention that the lenny version[1] of libnss3-1d works without problems with squeeze (and probably sid too), so using this version until this bug is fixed is easily possible.

Cheers
Alexander Kurtz

[1] http://packages.debian.org/lenny/libnss3-1d

[Attachment: signature.asc, described as "This is a digitally signed message part"]
Bug#561918: client certificate authentication broken
On Tue, Dec 29, 2009 at 11:45:48PM +0100, Alexander Kurtz wrote:
> Hi,
>
> Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention
> that the lenny version[1] of libnss3-1d works without problems with
> squeeze (and probably sid too), so using this version until this bug is
> fixed is easily possible.

You can also add NSS_SSL_ENABLE_RENEGOTIATION=1 in /etc/iceweasel/iceweaselrc.

Mike
Bug#561918: client certificate authentication broken
On Mon, Dec 21, 2009 at 10:34:09AM +0100, Christoph Anton Mitterer wrote:
> Package: libnss3-1d
> Version: 3.12.5-1
> Justification: renders package unusable
> Severity: grave
>
> Hi.
>
> With the most recent version, client certificate authentication is broken.
> An error occurs even before iceweasel, epiphany, etc. ask for the
> certificate to select.
>
> Downgrading to 3.12.4-1 fixes the problem.

Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment variable to 1? (with nss 3.12.5-1, obviously).

Mike
Bug#561918: client certificate authentication broken
Hello Mike,

On Tue, Dec 22, 2009 at 20:37, Mike Hommey m...@glandium.org wrote:
> On Mon, Dec 21, 2009 at 10:34:09AM +0100, Christoph Anton Mitterer wrote:
> > Package: libnss3-1d
> > Version: 3.12.5-1
> > Justification: renders package unusable
> > Severity: grave
> >
> > Hi.
> >
> > With the most recent version, client certificate authentication is broken.
> > An error occurs even before iceweasel, epiphany, etc. ask for the
> > certificate to select.
> >
> > Downgrading to 3.12.4-1 fixes the problem.
>
> Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> variable to 1? (with nss 3.12.5-1, obviously).
>
> Mike

I have tested, and this variable fixes the bug (with nss 3.12.5-1).

--
Regards:
Martin Spasov
Bug#561918: client certificate authentication broken
On Tue, Dec 22, 2009 at 11:42:02PM +0100, Christoph Anton Mitterer wrote:
> Hi Mike.
>
> On Tue, 2009-12-22 at 19:37 +0100, Mike Hommey wrote:
> > Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> > variable to 1 ? (with nss 3.12.5-1, obviously).
>
> Yes this fixes the problem.

This just confirms the diagnostic, which is that nss 3.12.5 disabled renegotiation because of CVE-2009-3555. Now, we need to decide how to allow client authentication without putting users too much at risk.

Mike
Bug#561918: client certificate authentication broken
Hi Mike.

On Tue, 2009-12-22 at 19:37 +0100, Mike Hommey wrote:
> Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> variable to 1 ? (with nss 3.12.5-1, obviously).

Yes this fixes the problem.

Cheers,
Chris.

[Attachment: smime.p7s, S/MIME cryptographic signature]
Bug#561918: client certificate authentication broken
On Tue, 2009-12-22 at 23:59 +0100, Mike Hommey wrote:
> This just confirms the diagnostic, which is that nss 3.12.5 disabled
> renegotiation because of CVE-2009-3555. Now, we need to decide how to
> allow client authentication without putting users too much at risk.

OK, I already suspected this after your hint ;)

However, I thought that disabling this wouldn't break login to sites.

Cheers,
Chris.

[Attachment: smime.p7s, S/MIME cryptographic signature]
Bug#561918: client certificate authentication broken
Package: libnss3-1d
Version: 3.12.5-1
Justification: renders package unusable
Severity: grave

Hi.

With the most recent version, client certificate authentication is broken. An error occurs even before iceweasel, epiphany, etc. ask for the certificate to select.

Downgrading to 3.12.4-1 fixes the problem.

Cheers,
Chris.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss3-1d depends on:
ii  dpkg          1.15.5.4   Debian package management system
ii  libc6         2.10.2-2   GNU C Library: Shared libraries
ii  libnspr4-0d   4.8.2-1    NetScape Portable Runtime Library
ii  libsqlite3-0  3.6.21-2   SQLite 3 shared library

libnss3-1d recommends no packages.

libnss3-1d suggests no packages.

-- no debconf information